XML-RPC is a remote procedure call protocol that encodes calls and responses as XML and carries them in HTTP POST requests: a client builds its input parameters in XML form, posts them to a remote server and gets an XML response back. WordPress relies on it extensively. The functionality has been enabled by default since WordPress 3.5 (the admin option to turn it off was removed in that release), and it allows third-party apps and mobile devices to communicate with the WordPress system through the xmlrpc.php file in the site root.
That being said, that same endpoint is reachable by anyone on the internet, and several well-known attacks abuse it. Some of the most common attacks that use the XML-RPC protocol are:
- Intel gathering: the pingback.ping method makes the WordPress server fetch a URL of the attacker's choosing, so it can be pointed at hosts and ports on the internal network to see what answers (a server-side request forgery).
- Port scanning: the same request, repeated across addresses and ports, turns the WordPress server into a port scanner of the network behind it.
- DoS attack: an attacker asks many WordPress sites to "pingback" one victim URL, so every site sends requests to the victim (a reflected DDoS); in the other direction, a single POST can carry hundreds of login attempts through system.multicall, which is how brute-force attacks on WordPress logins are amplified.
- Route hacking: aimed at the administration interface of an internal router or similar device, the pingback request reaches equipment the firewall was supposed to hide and, where that interface accepts unauthenticated or GET-based changes, can reconfigure it.
The best way to safeguard your website/server against WordPress XML-RPC exploits is to block the file at the web server, before WordPress even runs. If the site runs on Apache (or LiteSpeed, which reads the same files) and .htaccess overrides are allowed, add the following lines to the .htaccess file in the WordPress root:
Code:
# protect xmlrpc
RedirectMatch 403 ^/xmlrpc\.php$
RedirectMatch takes a regular expression, hence the escaped dot and the anchors. On nginx, which ignores .htaccess, the equivalent is a location = /xmlrpc.php block that returns 403.
To check that the rule is working, try opening the xmlrpc.php file in a browser. If you see a '403 Forbidden' message, the rule is active. Keep in mind that a browser only sends a GET, while XML-RPC clients send POST requests; the rules on this page apply to every method, but it is worth confirming with a POST as well (curl is enough), since the goal is to block the attack traffic, not just page views.
If you would rather send the requests somewhere else than return an error, use a Redirect (or RedirectMatch) rule instead:
Code:
# protect xmlrpc
Redirect 301 /xmlrpc.php http://anywebsite.com/any-page.php
Replace the URL with the page of your choice. This is the weaker option: the attacking client is merely told to go elsewhere, most bots ignore redirects or keep retrying, and whatever you redirect to receives the traffic instead. A plain 403 is the better default.
You can also turn down all access requests made to the xmlrpc.php file with Apache's access-control directives. Wrap them in a <Files> block so they apply only to that file; without the wrapper, Deny from all would lock out the whole site:
Code:
# protect xmlrpc
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
This is the Apache 2.2 syntax. On Apache 2.4 it still works as long as mod_access_compat is loaded; the native 2.4 equivalent is Require all denied inside the same <Files> block.
If you want to allow access from select IP addresses only (for example a monitoring service or the address your mobile app connects from), add one Allow line per address. With Order Deny,Allow the Allow lines override the Deny:
Code:
# protect xmlrpc
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
# placeholder addresses: replace with your own IPs or ranges
Allow from 203.0.113.10
Allow from 198.51.100.0/24
</Files>
Apache comments must sit on their own line, never at the end of a directive. Caveat: if the site sits behind a CDN or reverse proxy, Apache sees the proxy's address rather than the client's unless mod_remoteip (or your proxy's real-IP header) is configured, so the allow list will not match your real address.
If you want to disable XML-RPC inside WordPress instead (or in addition), open wp-config.php and look for this line:
require_once ABSPATH . 'wp-settings.php';
Directly under it, add the following code. It must come after that line, because add_filter() is not defined until wp-settings.php has been loaded:
Code:
add_filter('xmlrpc_enabled', '__return_false');
Despite its name, this filter only disables the methods that require a login (the wp.*, blogger.* and metaWeblog.* calls, and with them the brute-force route). The endpoint itself still answers, and the unauthenticated pingback.ping method still runs, so on its own this does not stop the pingback-based probing and DoS described above; keep the web-server rule as well, or remove pingback.ping through the xmlrpc_methods filter. The same add_filter line also works from a theme's functions.php or a must-use plugin, which keeps custom code out of wp-config.php.
So that's how you deal with XML-RPC on a WordPress system and prevent the attacks above. In case of an error (typically a '500 Internal Server Error' right after editing .htaccess, which means Apache rejected a directive), recheck that you've implemented the code correctly or contact the hosting support team.
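The wp-config.php section above leaves pingback.ping running. The following must-use plugin is an added example, not code from the original post or from WordPress itself: it combines the xmlrpc_enabled filter with the xmlrpc_methods filter to remove the pingback methods, stops the site advertising the endpoint, and refuses the request outright as a fallback. The file name and plugin name are my own choice; the hook names and the XMLRPC_REQUEST constant are WordPress core.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (added example)
 *
 * Save as wp-content/mu-plugins/disable-xmlrpc.php (a hypothetical file name).
 * Must-use plugins load before themes and regular plugins, so these hooks are
 * registered before xmlrpc.php calls serve_request().
 */

// 1. Refuse every method that requires a login (wp.*, blogger.*, metaWeblog.*).
//    This is the same line the post adds to wp-config.php; it does NOT touch
//    unauthenticated methods such as pingback.ping.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Remove the unauthenticated pingback methods from the server's method table,
//    which is what actually stops the SSRF / reflection abuse described above.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 3. Stop advertising the endpoint: drop the X-Pingback response header and the
//    RSD <link> in the page head that points clients at xmlrpc.php.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );

// 4. Defence in depth: xmlrpc.php defines XMLRPC_REQUEST before loading
//    WordPress, so any request that reaches PHP despite the .htaccess rule is
//    answered with a bare 403 before the XML is even parsed.
add_action( 'init', function () {
    if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
        status_header( 403 );
        exit( 'XML-RPC is disabled on this site.' );
    }
} );
```

Step 4 makes the endpoint useless to everyone, so leave it out if a mobile app or Jetpack still needs XML-RPC; steps 1 to 3 alone keep authenticated clients blocked and the pingback methods gone while system.listMethods and similar harmless calls keep answering.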
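To verify the rules with a real XML-RPC POST rather than a browser GET, here is an added example script (my own code, not from the original post). It sends system.listMethods, a call that needs no credentials and so still gets through when only the xmlrpc_enabled filter is in place, and reports whether the web server blocked or redirected the request, whether WordPress returned a fault, or which methods are still listed, flagging pingback.ping and system.multicall in particular. It assumes PHP 7.4+ with ext-curl and ext-simplexml; the function and file names are mine.

```php
<?php
// Usage (hypothetical file name): php xmlrpc-probe.php https://example.com
// Only run this against sites you own or are authorised to test.
declare(strict_types=1);

// Build a minimal XML-RPC methodCall with no parameters.
function buildRequest(string $method): string
{
    $name = htmlspecialchars($method, ENT_XML1, 'UTF-8');
    return '<?xml version="1.0"?><methodCall><methodName>' . $name
        . '</methodName><params/></methodCall>';
}

// Turn an HTTP status + body into a verdict:
//   blocked   - the web server refused the request (the 403 rules)
//   redirect  - a 3xx came back (the Redirect 301 rule)
//   fault     - WordPress answered with an XML-RPC fault
//   exposed   - a method list came back; the endpoint is live
//   unknown   - something else answered (not XML-RPC at all)
function classify(int $status, string $body): array
{
    $result = ['verdict' => 'unknown', 'methods' => [], 'fault' => '',
               'pingback' => false, 'multicall' => false];
    if ($status === 403 || $status === 401) {
        $result['verdict'] = 'blocked';
        return $result;
    }
    if ($status >= 300 && $status < 400) {
        $result['verdict'] = 'redirect';
        return $result;
    }
    $prev = libxml_use_internal_errors(true);
    $xml  = simplexml_load_string($body);
    libxml_use_internal_errors($prev);
    if ($xml === false || $xml->getName() !== 'methodResponse') {
        return $result;
    }
    if (isset($xml->fault)) {
        $msg = $xml->xpath('//member[name="faultString"]/value/string');
        $result['verdict'] = 'fault';
        $result['fault']   = $msg ? (string) $msg[0] : '';
        return $result;
    }
    $names = $xml->xpath('//params/param/value/array/data/value/string') ?: [];
    $result['verdict']   = 'exposed';
    $result['methods']   = array_map('strval', $names);
    $result['pingback']  = in_array('pingback.ping', $result['methods'], true);
    $result['multicall'] = in_array('system.multicall', $result['methods'], true);
    return $result;
}

// POST the request to <site>/xmlrpc.php without following redirects, so a
// Redirect rule is reported as such instead of being silently followed.
function probe(string $siteUrl): array
{
    $ch = curl_init(rtrim($siteUrl, '/') . '/xmlrpc.php');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => buildRequest('system.listMethods'),
        CURLOPT_HTTPHEADER     => ['Content-Type: text/xml'],
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_TIMEOUT        => 15,
    ]);
    $body   = curl_exec($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    return classify($status, $body === false ? '' : $body);
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $r = probe($argv[1]);
    echo "verdict: {$r['verdict']}\n";
    if ($r['verdict'] === 'exposed') {
        echo count($r['methods']) . " methods listed; pingback.ping: "
            . ($r['pingback'] ? 'yes' : 'no') . ", system.multicall: "
            . ($r['multicall'] ? 'yes' : 'no') . "\n";
    } elseif ($r['verdict'] === 'fault') {
        echo "fault: {$r['fault']}\n";
    }
}
```

A site with only the add_filter('xmlrpc_enabled', '__return_false') line in place typically comes back as "exposed" with pingback.ping: yes, which is exactly the gap noted above; with the .htaccess rule or the full must-use plugin applied it should report "blocked".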